Welcome to the SecurityisFutile blog

I welcome comments and suggestions; I take criticism very lightly (at least most of the time). My goal for this blog is to document various experiments and research projects I feel are both relevant and prominent in the field of computer security (or lack thereof) and to share my results and experiences with fellow computer security enthusiasts. Most of my topics are based solely on open source technology and methodology, mostly due to availability and cost. I believe that effective security measures help keep people honest with their technology, for the most part. Security is futile (useless), or at least it feels that way when an inspired opportunist comes around and exploits your weaknesses. With that being said, I leave you with a quote of inspiration: "There is no security on this earth, there is only opportunity." -- General Douglas MacArthur

Thursday, February 25, 2010

Regular expressions are fairly easy to use and manipulate when searching through a series of data. I ingest all of my OSSEC alerts into Splunk and can search and drill down into the data with the click of a button. However, I thought it would be neat to build my own Splunk 'Field' using a regex (regular expression) based on the OSSEC Rule and the correlated event that occurred on my systems, then build a Splunk report on that data every 24 hours. The process is simple:

Create the Search --> Save the Search --> Build a Report

Create the Search - Search path field in Splunk>

(This will search through all the data in your indexes and build a custom "OSSEC_RULE" field within your search criteria. The OSSEC_RULE field will capture each reported "Rule: ????" value from your OSSEC alerts.)

- Select "Last 24 hours" from the time line drop-down menu

- Click the green arrow to perform your search!

- When the alerts start populating your page you will notice the "OSSEC_RULE" field on the left-hand side of your Splunk Search page, along with the other fields.

- If it is not there, click on the "All ??? fields" link, locate the OSSEC_RULE field, click on the green arrow to add it to your "Selected fields" and click the "Save" button. Now you should see the OSSEC_RULE field on the left-hand side. If you still don't see it, check and make sure your search criteria are correct.

Save the Search - Now click on "Save search", located at the top right of the Splunk Search page

- Create a custom Name, Description and Time range, click the "Schedule this search" check box, then click the Save button

Build a Report - Now click on "Build report", located next to the Save search link

- Click the "Define report data through a form" link

- Select 24 hours from the Time Range drop-down menu, then click the Next button to format the report

- In the Report type drop-down menu select "Rare values"

- Now select "OSSEC_RULE" from the drop-down menu as the specific Field to use for the report

- Click the "Next Step" button to format the report (check out all of the OSSEC Rules that were found in your Splunk system...kind of cool)

- Choose the Chart type and Chart title, click Apply, then click the "Save" button on the top menu

- Create a Name, Description and Time Range, then click "Schedule this search".
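The same two ideas the report relies on, a regex that pulls the "Rule: ????" value out of each OSSEC alert and a "Rare values" count over that field, done outside Splunk in Python. This is an added example and not part of the original post: the alerts are constructed samples laid out like OSSEC's alerts.log, and the field name OSSEC_RULE is taken from the post.

```python
import re
from collections import Counter

# Constructed sample OSSEC alerts (not real data); the "Rule: ..." line is what
# the custom OSSEC_RULE field extracts from each alert.
SAMPLE_ALERTS = """\
** Alert 1267100001.1: - syslog,sshd,authentication_failed,
2010 Feb 25 10:00:01 htpc->/var/log/auth.log
Rule: 5716 (level 5) -> 'SSHD authentication failed.'

** Alert 1267100002.2: - syslog,sshd,authentication_failed,
2010 Feb 25 10:00:02 htpc->/var/log/auth.log
Rule: 5716 (level 5) -> 'SSHD authentication failed.'

** Alert 1267100003.3: - ossec,syscheck,
2010 Feb 25 10:05:00 htpc->syscheck
Rule: 550 (level 7) -> 'Integrity checksum changed.'

** Alert 1267100004.4: - syslog,sshd,authentication_success,
2010 Feb 25 10:06:00 htpc->/var/log/auth.log
Rule: 5715 (level 3) -> 'SSHD authentication success.'
"""

# Regex equivalent of the field extraction. It is anchored to the start of a
# line so "Rule:" text quoted inside a log message is not mistaken for the header.
RULE_RE = re.compile(
    r"^Rule: (?P<OSSEC_RULE>\d+) \(level (?P<level>\d+)\) -> '(?P<desc>[^']*)'",
    re.MULTILINE,
)


def extract_rules(alert_text):
    """Return one dict per alert with OSSEC_RULE, level (int) and description."""
    return [
        {"OSSEC_RULE": m.group("OSSEC_RULE"),
         "level": int(m.group("level")),
         "desc": m.group("desc")}
        for m in RULE_RE.finditer(alert_text)
    ]


def rare_values(events, field="OSSEC_RULE"):
    """Splunk-style 'Rare values' report: least frequent first, ties by value."""
    counts = Counter(e[field] for e in events if field in e)
    return sorted(counts.items(), key=lambda kv: (kv[1], kv[0]))


if __name__ == "__main__":
    for rule, n in rare_values(extract_rules(SAMPLE_ALERTS)):
        print(f"{rule:>6}  {n}")
```

The rarest rule IDs surface first, which is the same view the Splunk "Rare values" report gives and a quick way to spot an alert type that fired only once in the last 24 hours.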

Sunday, February 21, 2010

Element OS

Element v1.0 is a Linux-based operating system (based on Ubuntu) for your Home Theater PC (HTPC), featuring a ten-foot user interface that is designed to be connected to your HDTV for a digital media and internet experience within the comfort of your own living room or entertainment area. I recently evaluated the product to see if it was suitable enough for the average home PC user. You can get the latest Element OS from http://www.elementmypc.com. Version 1.0 comes with many different home PC features to help you manage internet media, games, music, video and photos.

The built-in media center application is XBMC (Xbox Media Center). However, you can download and install other media center apps like Boxee, Moovida and Hulu. These applications can also be downloaded from the Element web site. Element provides its users with a full-fledged computing and home entertainment experience. After evaluating the product I wouldn't see it being too difficult for the average PC user to figure out. I could also see myself replacing my cable and DVD boxes at home with a new HTPC.

How To Set It Up

I used a virtual environment to install/test the Element OS. I was pretty surprised how well it ran with a 10 GB hard drive, a single processor and 1024 MB of memory. However, I would not recommend this for an official HTPC. You can find the minimum/recommended requirements for running Element on their website.